Windows XP is a breeding ground for rootkit infections

Aug 1 2011, 15:40 by
by Steve Ragan -

New research from Avast, the Prague-based vendor known for their free anti-Virus and Malware removal tools, shows that Windows XP installations are a perfect target for criminals spreading rootkits. And users are helping them along.

The six-month study ran by Avast Virus Labs, catalogued over 630,000 samples, and singled out Windows XP as the originating platform for rootkit problems. To break things down a bit, Windows XP was responsible for 74-percent of the rootkits found, followed by 17-percent on Vista, and 12-percent on Windows 7.

While old, Windows XP is still the top OS among Avast users, with an install base of 49-percent. Windows 7 (38-percent) is the second most common, followed by Vista (13-percent).

Rootkits are nasty pieces of Malware, and are nearly impossible to detect or remove. However, because rootkits are gaining traction, even companies who offer free Malware protection are advancing their products to better detect and remove them.

One of the reasons a rootkit is so painful, is that many of them are able to avoid detection while in operation by piggybacking on legitimate operating system or application processes. Yet, the data compiled actually pinpoints why Windows XP has such a rootkit problem among the Avast community.

“One issue with Windows XP is the high number of pirated versions, especially as users are often unable to properly update them because the software can’t be validated by the Microsoft update,” said Przemyslaw Gmerek, the Avast expert on rootkits and lead researcher.

“Because of the way they attack – and stay concealed – deep in the operation system, rootkits are a perfect weapon for stealing private data.”

Advancements made by Microsoft has allowed newer operating systems like Windows 7 to remain more resilient to rootkits. However, this does not mean they are immune to them.

Innovations like UAC, PatchGuard, and Driver Signing has helped, Avast explained, but they haven’t provided fail-proof security. Criminals continue to fine-tune their attack strategy with the Master Boot Record (MBR). A perfect example of this can be seen with the newest TDL4 rootkit variants.

Avast’s data shows that rootkits infecting a system via the MBR were responsible for over 62-percent of all rootkit infections. Moreover, driver infections made up 27-percent of the total. Alureon (TDL4 / TDL3) was responsible for 74-percent of infections detected and removed.

“People need to keep anti-Virus software installed and updated - regardless of where they got their operating system,” added Gmerek.

He will be presenting the full report during BlackHat this week in Las Vegas. Anyone concerned about rootkit infections is invited to use Avast’s aswMBR. Screenshots and additional information about the tool are here.

Like this article? Please share on Facebook and give The Tech Herald a Like too!